ID

VAR-202210-0537


CVE

CVE-2022-38371


TITLE

Resource Exhaustion Vulnerability in Multiple Siemens Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-018827

DESCRIPTION

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.7), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.21), APOGEE PXC Modular (BACnet) (All versions < V3.5.7), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.21), Desigo PXC00-E.D (All versions >= V2.3), Desigo PXC00-U (All versions >= V2.3), Desigo PXC001-E.D (All versions >= V2.3), Desigo PXC100-E.D (All versions >= V2.3), Desigo PXC12-E.D (All versions >= V2.3), Desigo PXC128-U (All versions >= V2.3), Desigo PXC200-E.D (All versions >= V2.3), Desigo PXC22-E.D (All versions >= V2.3), Desigo PXC22.1-E.D (All versions >= V2.3), Desigo PXC36.1-E.D (All versions >= V2.3), Desigo PXC50-E.D (All versions >= V2.3), Desigo PXC64-U (All versions >= V2.3), Desigo PXM20-E (All versions >= V2.3), Nucleus NET for Nucleus PLUS V1 (All versions < V5.2a), Nucleus NET for Nucleus PLUS V2 (All versions < V5.4), Nucleus ReadyStart V3 V2012 (All versions < V2012.08.1), Nucleus ReadyStart V3 V2017 (All versions < V2017.02.4), Nucleus Source Code (All versions including affected FTP server), TALON TC Compact (BACnet) (All versions < V3.5.7), TALON TC Modular (BACnet) (All versions < V3.5.7). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server. Nucleus NET , Nucleus ReadyStart V3 , Nucleus Source Code A resource exhaustion vulnerability exists in several Siemens products.Service operation interruption (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2022-38371 // JVNDB: JVNDB-2022-018827

AFFECTED PRODUCTS

vendor:siemensmodel:apogee modular equiment controllerscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc36.1-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc200-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:apogee modular building controllerscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc22.1-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc001-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:nucleus readystart v3scope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc64-uscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:talon tc compactscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc00-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:nucleus netscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:apogee pxc compactscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:desigo pxc12-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc50-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc128-uscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc00-uscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:apogee pxc modularscope:eqversion:*

Trust: 1.0

vendor:siemensmodel:nucleus source codescope:eqversion: -

Trust: 1.0

vendor:siemensmodel:desigo pxm20-escope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc100-e.dscope:lteversion:2.3

Trust: 1.0

vendor:siemensmodel:desigo pxc22-e.dscope:lteversion:2.3

Trust: 1.0

vendor:シーメンスmodel:apogee pxc compactscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc001-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc12-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee modular building controllerscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee modular equiment controllerscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxm20-escope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc00-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc64-uscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc36.1-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc00-uscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc22.1-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc22-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:apogee pxc modularscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:nucleus netscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:nucleus source codescope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc50-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:nucleus readystart v3scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc200-e.dscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc128-uscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc100-e.dscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-018827 // NVD: CVE-2022-38371

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-38371
value: HIGH

Trust: 1.0

productcert@siemens.com: CVE-2022-38371
value: HIGH

Trust: 1.0

NVD: CVE-2022-38371
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202210-513
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-38371
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2022-38371
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018827 // CNNVD: CNNVD-202210-513 // NVD: CVE-2022-38371 // NVD: CVE-2022-38371

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.0

problemtype:CWE-401

Trust: 1.0

problemtype:Resource exhaustion (CWE-400) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-018827 // NVD: CVE-2022-38371

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-513

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202210-513

PATCH

title:Siemens Nucleus NET and Nucleus ReadyStart Remediation of resource management error vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=210594

Trust: 0.6

sources: CNNVD: CNNVD-202210-513

EXTERNAL IDS

db:NVDid:CVE-2022-38371

Trust: 3.2

db:SIEMENSid:SSA-313313

Trust: 2.4

db:SIEMENSid:SSA-935500

Trust: 2.4

db:ICS CERTid:ICSA-22-286-07

Trust: 1.4

db:ICS CERTid:ICSA-22-286-12

Trust: 1.4

db:JVNid:JVNVU92214181

Trust: 0.8

db:JVNDBid:JVNDB-2022-018827

Trust: 0.8

db:AUSCERTid:ESB-2022.5099

Trust: 0.6

db:CNNVDid:CNNVD-202210-513

Trust: 0.6

sources: JVNDB: JVNDB-2022-018827 // CNNVD: CNNVD-202210-513 // NVD: CVE-2022-38371

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-313313.pdf

Trust: 2.4

url:https://cert-portal.siemens.com/productcert/pdf/ssa-935500.pdf

Trust: 2.4

url:https://cert-portal.siemens.com/productcert/html/ssa-313313.html

Trust: 1.0

url:https://cert-portal.siemens.com/productcert/html/ssa-935500.html

Trust: 1.0

url:https://jvn.jp/vu/jvnvu92214181/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-38371

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-286-07

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-286-12

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-286-07

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-38371/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5099

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-286-12

Trust: 0.6

sources: JVNDB: JVNDB-2022-018827 // CNNVD: CNNVD-202210-513 // NVD: CVE-2022-38371

CREDITS

Siemens reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202210-513

SOURCES

db:JVNDBid:JVNDB-2022-018827
db:CNNVDid:CNNVD-202210-513
db:NVDid:CVE-2022-38371

LAST UPDATE DATE

2024-08-14T12:05:51.421000+00:00


SOURCES UPDATE DATE

db:JVNDBid:JVNDB-2022-018827date:2023-10-23T08:12:00
db:CNNVDid:CNNVD-202210-513date:2023-02-15T00:00:00
db:NVDid:CVE-2022-38371date:2024-05-14T16:15:25.167

SOURCES RELEASE DATE

db:JVNDBid:JVNDB-2022-018827date:2023-10-23T00:00:00
db:CNNVDid:CNNVD-202210-513date:2022-10-11T00:00:00
db:NVDid:CVE-2022-38371date:2022-10-11T11:15:10.297